Entanglement-Enhanced Quantum Key Distribution 






Olli Ahonen,^1 Mikko Möttönen,^{1,2,3} and Jeremy O'Brien^4

^1 Department of Engineering Physics, Helsinki University of Technology, P.O. Box 5100, FI-02015 TKK, Finland
^2 Australian Research Council Centre of Excellence for Quantum Computer
Technology, The University of New South Wales, Sydney 2052, Australia
^3 Low Temperature Laboratory, Helsinki University of Technology, P.O. Box 3500, FI-02015 TKK, Finland
^4 Centre for Quantum Photonics, H. H. Wills Physics Laboratory & Department of Electrical and Electronic
Engineering, University of Bristol, Merchant Venturers Building, Woodland Road, Bristol, BS8 1UB, UK

(Dated: October 7, 2008) 

We present and analyze a quantum key distribution protocol based on sending entangled $N$-qubit
states instead of single-qubit ones as in the trail-blazing scheme by Bennett and Brassard (BB84).
Since the qubits are sent and acknowledged individually, an eavesdropper is limited to accessing 
them one by one. In an intercept-resend attack, this fundamental restriction allows one to make the 
eavesdropper's information on the transmitted key vanish if even one of the qubits is not intercepted. 
The implied upper bound $1/(2N)$ for Eve's information is further shown not to be the lowest, as
the information can be reduced to less than 30% of that in BB84 in the case N = 2. In general, the 
protocol is at least as secure as BB84. 

PACS numbers: 03.67.Dd, 03.65.Ud, 42.50.Dv 



I. INTRODUCTION 

Quantum information science [1] has emerged to answer
the question: "What additional power and functionality
can be gained by processing and transmitting
information encoded in physical systems that exhibit 
uniquely quantum mechanical behavior?" Anticipated fu- 
ture quantum technologies include: quantum computing 
[U, Q , which promises exponential speed-up for particu- 
lar computational tasks; quantum metrology which 
allows the fundamental precision limit to be reached; and
quantum lithography , which could enable fabrication 
of devices with features much smaller than the wave- 
length of light. The most striking quantum technologies 
that have already reached commercial realization are in 
the area of quantum communication. 

Quantum key distribution (QKD) offers secure com- 
munication based on the fundamental laws of physics — 
namely, that measurement of a quantum system being 
used to transmit information must necessarily disturb 
that system, and that this disturbance is detectable Q. 
The first QKD scheme was proposed by Bennett and 
Brassard in 1984 (BB84) and is based on generating a 
cryptographic secret key between two distant parties, Al- 
ice and Bob, by sending a random bit string encoded and 
measured in one of two randomly chosen mutually unbiased
bases of a single qubit. Photons are the logical
choice for transmitting quantum information and were
used in the first experimental realization of BB84.
Since then there have been several important theoretical 
improvements and experimental demonstrations of BB84 
and other QKD protocols [1, d, M, M, [H, IH, Q [H, [ill , 
which have culminated in commercial QKD systems. A 
major challenge facing future practical quantum net- 
works is to increase the rate at which the secure key 



is generated. Most efforts in this direction are focused 
on improving the underpinning technology 0]. Here we 
propose an alternative approach based on improving the 
underlying QKD protocol, which has been inspired by
recent developments in optical quantum computing [17].

The ability to reliably entangle photons is a major 
goal of quantum information processing and quantum
communication. Recent demonstrations of strong
coupling between semiconductor quantum dots and photonic
crystal cavities have been reported [H, [H, . The
generation and transfer of photons on a photonic crystal
chip has been demonstrated [21], together with entangling
photonic logic gates all in fibre [22], and in waveguides
on silicon chips [11]. The breakthrough proposal
based on measurement induced nonlinearities [24],
capable of entangling photons for optical quantum computing,
was followed by important demonstrations of entangling 
logic gates [25|,[2l,[23]. Recently, attention has focused on 
generating entangled states of many photons, and it was 
shown that atom-cavity systems can be used to generate 
an arbitrary entangled state of N photons [111 . Thus the 
technology for performing an entangling transformation 
on several photons is now within sight. 

Here we present a novel QKD protocol whose security 
is lower-bounded by BB84. The insight of the protocol
relies on Alice entangling groups of qubits prior to
their one-by-one transmission. Because successive qubits
in each group are transmitted only after confirmation of 
reception by Bob, an eavesdropper only has access to 
the transmitted information one qubit at a time. The 
eavesdropper is thus unable to perfectly undo the entan- 
gling transformation even if aware of it. Qubits from 
different entangled groups can be sent interleaved to 
keep the quantum channel utilization high. We present 
the maximal mutual information on the established key 
provided by any intercept-resend (IR) attack, and also
the corresponding induced disturbance, quantified by the 
quantum bit error rate (QBER), for several entangling 
transformations. We show that only small groups of 
qubits need to be entangled for substantial gains: Uti- 
lizing two-qubit entanglement, it is possible to signifi- 
cantly reduce an eavesdropper's maximal information on 
the key, e.g., to less than 30% of that in BB84 for a 
fixed QBER < 25%. Furthermore, another multi-qubit 
entangling transformation reduces the information gain 
to zero in the case where the IR attacker intercepts all 
but one of the qubits, which is shown to restrict the max- 
imal information gain to 1/(2N). Finally, we present a 
rough estimate of the key generation rate for the optimal 
two-qubit protocol. 



II. THE PROTOCOL 

In our protocol, the initiator, Alice, generates a number
of random bits, handled in groups of $N$. Each group
is an outcome of the random variable $A = A_1 A_2 \cdots A_N$
composed of the binary random variables $A_i$, for which
the probabilities are $p(A_i = 0) = p(A_i = 1) = \frac{1}{2}$,
$i = 1, \ldots, N$. Let the bit string $a = a_1 a_2 \cdots$ denote
the outcome of $A$. These bits form Alice's raw key.

Alice uses a public quantum channel to transmit the
raw key to the recipient, Bob. The basis of each qubit
is random, being the eigenbasis of the Pauli matrix $\sigma_z$,
$\{|0\rangle, |1\rangle\}$, or that of $\sigma_x$,
$\{|+\rangle = (|0\rangle + |1\rangle)/\sqrt{2},\ |-\rangle = (|0\rangle - |1\rangle)/\sqrt{2}\}$,
with equal probability. Let $\alpha = \alpha_1 \alpha_2 \cdots \alpha_N$,
with each $\alpha_i \in \{z, x\}$, denote Alice's basis choices for an
$N$-bit group.

Before transmission, Alice applies a fixed $N$-qubit gate
$U_N$, declared in public, to each group $\{|a_i; \alpha_i\rangle\}_{i=1}^{N}$. Thus
the qubits are, in general, entangled. She then sends
the qubits one by one to Bob, always waiting for Bob to 
acknowledge each qubit on a public authenticated clas- 
sical channel before sending the next one. This wait- 
ing does not decrease the transmission rate: Individual 
qubits from different groups can be sent interleaved. Bob 
waits for $N$ qubits to accumulate, and applies to the
group. He projectively measures each qubit in the $\sigma_z$
or $\sigma_x$ eigenbasis, chosen at random, and obtains his raw
key, consisting of the measurement results $b_i \in \{0, 1\}$.
Figure 1 shows the protocol as a quantum circuit for the
N qubits. The quantum non-demolition (QND) mea- 
surements needed for Bob to detect the reception of each 
qubit are not shown. The QND measurements can be 
performed with high fidelity, as is demonstrated, for in- 
stance, in Ref. [2^. 

After the quantum transmission, Alice and Bob compare
their basis choices over the classical channel, and
discard the raw-key bits for which their bases did not coincide.
Note that the entire $N$-bit group need not be discarded,
only the individual incompatible results. The remaining
bits form the participants' sifted keys which may
still contain differences due to noise or eavesdropping on
the quantum channel. Based on these differences, Alice
and Bob estimate the QBER, defined formally in Sec. III.
If the observed QBER is less than 15%, errors can be
corrected by a classical error correction (EC) procedure,
e.g., by one described in Ref. [30]. If eavesdropping is
suspected, Alice and Bob employ privacy amplification
which shortens the key and reduces any eavesdropper's
information on it to an arbitrarily low value. For QBER's
in the range 15-25%, less efficient quantum privacy amplification
or classical advantage distillation techniques
can be used to arrive at a secure and error-free key.

FIG. 1: Quantum circuit for the proposed protocol with the
intercept-resend attack. The circuit is repeated until a large
enough number of bits has been transmitted. The required
classical communication is not shown. Semicircles represent
projective measurements. Gate $U_N$ is an $N$-qubit entangler
announced in public. Gate $R(\beta,\gamma)$ rotates a qubit by the
angles $\gamma$ and $\beta$ with respect to the $z$ and $y$ axes, respectively.
Each $a_i$, $e_i$, and $b_i$ is a binary variable representing a bit in
Alice's, Eve's, and Bob's raw key, respectively.


III. ANALYSIS 

First, we point out that our protocol cannot be less secure
than BB84, even if Eve is allowed any attack strategy.
Giving Eve full control of the gates $U_N$ and
shown in Fig. 1 reduces the protocol to BB84 facing a
coherent attack. Thus, the proofs of security for BB84
with coherent attacks allowed (Ref. [31] and references
therein) also apply to our protocol, and Alice and Bob 
can ensure the secrecy of the generated key in our proto- 
col, as well. 

We continue our more refined analysis by studying the 
protocol under the IR attack. Potentially more efficient, 
e.g., cloning, attacks are to be studied in future work. In 
all attacks, the goal of the attacker is to obtain a copy of 
the sifted key for a minimal increase in the QBER, which 
is the only indicator of careful eavesdropping to Alice and 
Bob. In BB84, the IR attack is succinctly described as 
the eavesdropper, Eve, measuring the transmitted qubits
in the $z$ or $x$ basis and resending the obtained results to Bob.
Independent of Eve's choice of basis, she obtains on av- 
erage at most 0.5 bits of information on each bit of the 
sifted key, and induces an average QBER of at least 25% 
0. A slightly better strategy for Eve is to clone each 
qubit imperfectly and measure the clone state [32]. The
more information Eve extracts on the key, the larger the
induced error rate is. Eve can also choose to interfere only
with a fraction $\xi \in [0, 1]$ of the transmitted qubits. Eve's
maximal information as a function of QBER is shown in
Fig. 2 for these attacks.

FIG. 2: Eve's information per bit on Alice's sifted key as a
function of the observed QBER for BB84 with cloning and
intercept-resend (IR) attacks (dashed lines), and for our protocol
using U2 = (^(351%- 155) with the corresponding optimal
IR attack (solid line). The arrow shows the effect of
engaging $U_2$ while keeping the fraction of intercepted qubits
$\xi = 0.8$ constant.

In our protocol, Eve's choice of basis has a signifi- 
cant impact on her information and the induced QBER. 
Hence, we allow Eve to measure each qubit in any basis.
This is equivalent to allowing Eve arbitrary single-qubit
gates, and measurements in the $z$ basis. For the
group of $N$ qubits, Eve's measurement results are the
outcomes $e = e_1 e_2 \cdots e_N$ of the random variable $E$, with
each $e_i \in \{0, 1\}$.

Once Eve has measured a qubit, the result represents
her best guess on Alice's corresponding key
bit. Therefore, to minimize the QBER, she constructs
the state $|e_i; z\rangle$ and then undoes the previously applied
single-qubit gate before sending the qubit to Bob.
Any single-qubit gate can be written as three successive
rotations about the Bloch-sphere axes $y$ and $z$,
$R_z(\varphi) R_y(\beta) R_z(\gamma) e^{i\phi}$. Since Eve measures in the $z$ basis,
the final rotation $R_z(\varphi)$ has no effect on the result.
The global phase $\phi$ is irrelevant as well. Eve's attack is
thus parametrized by the single-qubit gate rotation angles
$\{(\beta_1,\gamma_1), \ldots, (\beta_N,\gamma_N)\}$.

The information Eve gains on the key is quantified by 
the mutual information of the random variables A and 
E, defined as [1]

$$I(A,E) = \frac{1}{N}\left[H(A) + H(E) - H(A,E)\right], \qquad (1)$$

where $H(\cdot)$ denotes the Shannon entropy and $H(\cdot,\cdot)$
the joint entropy. The factor $1/N$ ensures that Eq. (1)
yields the mutual information per bit, since $A$ and $E$
are both $N$-bit entities. The entropies must be averaged
over Alice's choice of bases $\alpha$ which Eve eventually
finds out. Thus,
$H(A,E) = \frac{1}{2^N}\sum_{\alpha} H_{\alpha}(A,E) = -\frac{1}{2^N}\sum_{\alpha,a,e} p(a,e|\alpha)\log_2 p(a,e|\alpha)$,
and
$H(E) = \frac{1}{2^N}\sum_{\alpha} H_{\alpha}(E) = -\frac{1}{2^N}\sum_{\alpha,e} p(e|\alpha)\log_2 p(e|\alpha)$,
where the probabilities are conditioned on $\alpha$. The entropy
$H(A) = N$.

The QBER is defined as the average probability of a 
bit flip in the sifted key. For each individual qubit $j = 1, \ldots, N$
it is

^ X 1 

a j —z aj—0 

where $B_j$ is the random variable giving Bob's measurement
result $b_j$ of the $j$th qubit, and the bar denotes the logical
NOT operation. The QBER used in the following
analysis is the average of the QBER's of the qubits. 

For Alice and Bob to accept the sifted key for post-processing,
the fraction of eavesdropped qubits $\xi$ must
be such that QBER < 0.25. Typically, they set a suit- 
able threshold value for acceptance Q in this regime, 
where the information gain of the eavesdropper is linear 
with respect to QBER in the IR attack. Therefore, Eve's 
maximal information for a given QBER is determined by 
the maximum of the ratio $I(A,E)/\mathrm{QBER}$.

The final bit rate $R_{\mathrm{net}}$ is an important measure of efficiency
for a QKD protocol. This is the rate at which Alice
and Bob accumulate shared secret key bits, which contain 
no errors, and on which Eve's information is negligible, 
i.e., below a known bound controlled by Alice and Bob. 
Since the transformations Un and provide no new 
capabilities for Eve under the coherent attack model for 
BB84, the final bit rate of our protocol cannot be lower 
than in BB84, with an ideal quantum channel. However, 
innocent noise in the quantum channel may change this 
setting. 

Let us present a recursive construction for the gate
$U_N$ which bounds the information of an IR attacker to
at most $1/(2N)$ for any QBER, a proof of which is given
in the Appendix. We denote this gate by $U^*_N$. The gate
has two equivalent versions of different parity, $U^*_{N,\mathrm{even}}$
and $U^*_{N,\mathrm{odd}}$; either one can be used as $U^*_N$. We define
$U^*_{1,\mathrm{even}} = I_1$, the one-qubit identity operation, and
$U^*_{1,\mathrm{odd}} = \sigma_y$. A unitary $(N+1)$-qubit gate is obtained
with the following rule:

$$U^*_{N+1} = \frac{1}{\sqrt{2}}\left[I_1 \otimes U^*_N \pm i\sigma_y \otimes (P_N U^*_N)\right], \qquad (2)$$

where $P_N = \sigma_y \otimes I_1^{\otimes (N-1)}$ if $N \geq 2$ and $P_1 = \sigma_y$. At each
step, either of the two signs can be chosen.

The fact that, with gate $U^*_N$, Eve cannot miss even a
single qubit unless she is content with zero information
gain also protects the key distribution against photon-number
splitting (PNS) attacks. If the probability
of an unwanted multi-photon pulse is $\epsilon$ and events are
independent, the probability that Eve gains any information
decreases at least as $\epsilon^N$.

In what follows, we study the case $N = 2$ in
more detail. Arbitrary two-qubit gates have 16 degrees
of freedom, several of which have no effect on
Eve's maximal information. First fixing the global
phase of the gate and then following the treatment
in Ref. [3J], we obtain

$$U_2 = (k_{2,1} \otimes k_{2,2}) \times \exp\left[\frac{i}{2}\left(c_1\, \sigma_x \otimes \sigma_x + c_2\, \sigma_y \otimes \sigma_y + c_3\, \sigma_z \otimes \sigma_z\right)\right] \times (k_{1,1} \otimes k_{1,2}),$$

where $k_{j,l}$ are one-qubit gates and the middle
gate, $C(\mathbf{c})$, has parameters $\mathbf{c} = (c_1, c_2, c_3)$ with each
$c_j \in [0, 2\pi]$. The local operation $k_{2,1} \otimes k_{2,2}$ can be
directly undone by Eve, and is thus of no use to Alice and
Bob. Hence, the interesting two-qubit gates are of the
form $C(\mathbf{c})(k_{1,1} \otimes k_{1,2})$. To simplify the calculations, we
set $k_{1,1} = k_{1,2}$. Removing this restriction can only improve
the results presented in Sec. IV.



IV. RESULTS

Figure 3 shows Eve's mutual information on Alice's
sifted key in the case $N = 2$, for an IR attack carried out
using the eigenbasis. The plot is obtained by a uniform
sweep over the parameters $\mathbf{c} \in [0, 2\pi]^3$, over which Alice
can optimize the protocol. In the upper set of points, Eve
always measures both entangled qubits, and in the lower
set only one of them. It makes no difference which qubit
is measured, since here the gate $U_2$ is symmetric with
respect to the two entangled qubits.

FIG. 3: Eve's mutual information on Alice's sifted key as a
function of the induced QBER for different gates $U_2 = C(\mathbf{c})$.
Eve uses the IR attack and measures in the eigenbasis.
The red dots (blue crosses) correspond to Eve measuring
both (only one) of the two entangled qubits, in which case
Eve's maximal mutual information is between 0.5 and 0.125
(0.25 and 0).

The topmost point in each set corresponds to $U_2$ being
the two-qubit identity operation, with which our protocol
reduces to BB84. At the undermost points of the two
sets, $U_2 = C(0, \frac{\pi}{2}, 0) = U^*_2 = (I_1 \otimes I_1 + i\sigma_y \otimes \sigma_y)/\sqrt{2}$.
As $c_2$ increases from 0 to $\frac{\pi}{2}$, the protocol continuously
shifts from BB84 to the $U^*$-enhanced protocol. Eve
achieves the maximal information $\frac{1}{2N} = 0.25$ by changing
one of her measurement bases from to $\sigma_y$.



FIG. 4: Eve's mutual information on Alice's sifted key as 
a function of the induced QBER sampled over all possible 
measurement bases for Eve. The entangling gate is fixed to 
U2 = C(c*), where c* = (^,^,^). The red dots (blue 
crosses) correspond to Eve measuring both (only one) of the 
two entangled qubits, in which case Eve's maximal mutual 
information is between 0 and 0.2237 (0 and 0.0284).

Next, we show how to improve on the $1/(2N)$ bound
in the case $N = 2$. We allow Eve to use any measurement
bases. Thus, the task of finding the optimal $C(\mathbf{c})$
becomes a twofold optimization problem: Alice and Bob
wish to minimize the maximal information Eve can obtain
for a given QBER. We are thus interested in finding
the value $\min_{\mathbf{c}} \max_{\{\beta_1,\gamma_1,\beta_2,\gamma_2\}} [I(A,E)/\mathrm{QBER}]$ and
the optimizing parameter values. We perform the optimization
with the simplex search method [s^ . One of
the optimal choices of parameters for Alice and Bob is
c* = (^, ^, ^), which leads to $I(A,E) \approx 0.2237$ and
QBER = 0.375 for $\xi = 1$. Given $U_2 = C(\mathbf{c}^*)$, an optimal
choice for Eve is $(\beta_1,\gamma_1,\beta_2,\gamma_2)$ = (f'O'f'i). Eve's
maximal information as a function of the QBER is shown
as the solid line in Fig. 2. For a fixed QBER < 25%, Eve's
information drops to less than 30% of that in BB84.

Figure 4 elaborates on the consequences of Eve's
choices given $U_2 = C(\mathbf{c}^*)$. In the upper (lower) set of
points, Eve measures both (only one) of the qubits in different
bases. The plot is generated by a uniform sweep
over $(\beta_1, \gamma_1, \beta_2, \gamma_2) \in [0, 2\pi]^4$. Alice's gate is fixed to
$C(\mathbf{c}^*)$ which, unlike $U^*$, is observed not to guarantee
zero but still less than 0.03 bits of information leakage
for one-qubit interceptions.

Let us present an approximate comparison between our
protocol and BB84 in terms of the final bit rate. Following
Ref. [36], we assume that during error correction Alice
and Bob must exchange

$$n H_{\mathrm{bin}}(q) = n\left[-q \log_2 q - (1-q)\log_2(1-q)\right] \qquad (3)$$

bits, where $n$ is the length of the key material, and $q$ the
QBER. We further make the safe assumption that this is
the information, in bits, that is leaked to Eve. In BB84,
Eve's information per bit after EC is

$$I^{\mathrm{BB84}}_{\mathrm{EC}}(q) = 2q + H_{\mathrm{bin}}(q). \qquad (4)$$

Let the optimal $N = 2$ setting represent our protocol,
where Eve's information after EC is

$$I^{N=2}_{\mathrm{EC}}(q) = s\delta q + H_{\mathrm{bin}}(\delta q), \qquad (5)$$

where $s = 0.5965$ is the slope of the $I(A,E)$ curve shown
in Fig. 2. The observed QBER is denoted by $\delta q$, so that
$\delta$ is the factor by which the use of $U_2 = C(\mathbf{c}^*)$ changes
the QBER. The absolute key rate depends heavily on the
practical implementation of the protocol, and we therefore
use the relative key rate $r = R_{\mathrm{net}}/R_{\mathrm{sift}}$, where $R_{\mathrm{sift}}$
is the rate at which sifted key bits are generated. We
have 0]

$$\begin{aligned}
r(q) &= I(A,B) - I(A,E) \\
     &= 1 - H_{\mathrm{bin}}(q) - I(A,E) \\
     &= 1 - I_{\mathrm{EC}}(q)
\end{aligned} \qquad (6)$$

for both protocols.

In the following, we fix the QBER to $q = 6\%$, a typical
value in a practical realization [37, 38, 39, 40]. Then, the
relative key rate is $r_{\mathrm{BB84}} = 0.553$ in BB84. The relative
key rate for our two-qubit protocol is shown in Fig. 5
together with a protocol for which $s = 0$. For example,
at $\delta = 1$ for both protocols, the gain of the two-qubit
protocol over BB84 is 70% of that of the protocol with
$s = 0$. The relative key rate of BB84 is recovered at
$\delta = 1.323$. Determining the exact value of $\delta$ and ways to
decrease it is left for future research.
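
The key-rate comparison above can be re-derived numerically. The following Python sketch is an added example, not code from the paper: it evaluates Eqs. (3)-(6) at q = 6%, the share of the ideal (s = 0) gain that the two-qubit protocol reaches, and the factor by which the scheme may raise the QBER before its rate falls back to that of BB84. Function and constant names are illustrative; the slope 0.5965 and the BB84 slope 2 are taken from the text.

```python
import math

S_TWO_QUBIT = 0.5965  # slope of I(A,E) versus QBER for U2 = C(c*), from the text
S_BB84 = 2.0          # BB84 under intercept-resend: I(A,E) = 2q, Eq. (4)


def h_bin(q):
    """Binary entropy of Eq. (3), in bits per key bit."""
    if q <= 0.0 or q >= 1.0:
        return 0.0
    return -q * math.log2(q) - (1 - q) * math.log2(1 - q)


def relative_key_rate(q, slope, delta=1.0):
    """r = 1 - I_EC of Eq. (6); the observed QBER is delta * q as in Eq. (5)."""
    observed = delta * q
    return 1.0 - slope * observed - h_bin(observed)


def gain_fraction(q, slope, delta=1.0):
    """Gain over BB84 as a fraction of the gain of an ideal gate with s = 0."""
    base = relative_key_rate(q, S_BB84)
    ours = relative_key_rate(q, slope, delta) - base
    ideal = relative_key_rate(q, 0.0, delta) - base
    return ours / ideal


def break_even_delta(q, slope, lo=1.0, hi=3.0, tol=1e-9):
    """Bisect for the QBER factor at which the rate drops to the BB84 rate.

    The rate decreases monotonically in delta while delta * q < 0.5, so a
    sign change between lo and hi brackets a single root.
    """
    target = relative_key_rate(q, S_BB84)
    if not (relative_key_rate(q, slope, lo) > target
            > relative_key_rate(q, slope, hi)):
        raise ValueError("break-even point is not bracketed by [lo, hi]")
    while hi - lo > tol:
        mid = (lo + hi) / 2
        if relative_key_rate(q, slope, mid) > target:
            lo = mid
        else:
            hi = mid
    return (lo + hi) / 2


if __name__ == "__main__":
    q = 0.06
    print("r_BB84          :", round(relative_key_rate(q, S_BB84), 3))
    print("gain fraction   :", round(gain_fraction(q, S_TWO_QUBIT), 3))
    print("break-even delta:", round(break_even_delta(q, S_TWO_QUBIT), 3))
```
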




FIG. 5: Relative key rate as a function of the yet unknown
factor $\delta$ by which the scheme changes the QBER. The solid
line represents our protocol with U2 = C(c*). The dashed 
blue line shows the rate for a maximally improving gate, i.e., 
one which hides all information sent via the quantum channel 
(s = 0). The dotted red line shows the rate for BB84. The 
QBER in BB84 is fixed to 6%. 



V. CONCLUSIONS 

Our results show that entanglement can be employed 
to considerably improve the BB84-type key distribution, 
even in the case of two-qubit entanglement. The new 
protocol can be directly adapted to the several variants 
of BB84. We have demonstrated one promising scheme, 
where an IR eavesdropper must intercept every qubit in 
the entangled group to gain any information. Unfortu- 
nately, loss of qubits may pose a problem not only for 
Eve, but also for Bob. If one of the entangled qubits 
is completely lost, the QBER of the remaining qubits 
is likely to increase. Therefore, this protocol cannot be 
recommended for use at extreme distances where most 
transmitted qubits are lost. Making the protocol
robust against qubit loss is a goal for future research.

Since the dimension of the total Hilbert space increases 
exponentially with the number of qubits, and the dimen- 
sion of the subspace Eve can directly access increases only 
linearly, our scheme is expected to show even more pro- 
nounced benefits if applied to many-qubit entanglement. 
Further optimization for an arbitrary number of entan- 
gled qubits and assessment of more potential attacks is 
to be carried out in the future. Potential future research 
also includes methods for distinguishing between inno- 
cent noise in the quantum channel and that caused by 
eavesdropping, and determining the exact dependence of 
QBER on the innocent noise. The latter would enable 
definitive evaluation of the protocol final bit rate. 

APPENDIX

We show that the gate $U^*_N$ defined in Sec. III restricts
the information provided by an intercept-resend
attack to at most $1/(2N)$. First, note that
$\sigma_y|a_j;\alpha_j\rangle = |\bar{a}_j;\alpha_j\rangle$ for $j = 1,\ldots,N$. We claim that
single-qubit measurements in any basis, applied to state
$U^*_N\left(|a_1;\alpha_1\rangle|a_2;\alpha_2\rangle \cdots |a_N;\alpha_N\rangle\right)$, give uniformly random
results until the last, $N$th, one. Thus it is not until the
last measurement that Eve gets any information with the
IR attack. Let us refer to this randomness of the first
$N - 1$ measurements as property $\mathcal{R}$.

To prove this first claim, we note that the transmitted
states for gates $U^*_{2,\mathrm{even}}$ and $U^*_{2,\mathrm{odd}}$ are, respectively,
$\left(|a_1;\alpha_1\rangle|a_2;\alpha_2\rangle \pm i|\bar{a}_1;\alpha_1\rangle|\bar{a}_2;\alpha_2\rangle\right)/\sqrt{2}$ and
$\left(|a_1;\alpha_1\rangle|\bar{a}_2;\alpha_2\rangle \pm i|\bar{a}_1;\alpha_1\rangle|a_2;\alpha_2\rangle\right)/\sqrt{2}$, on which the
first single-qubit measurement, in any basis, gives a uniformly
random result. Hence, gates $U^*_{2,\mathrm{even}}$ and $U^*_{2,\mathrm{odd}}$
have property $\mathcal{R}$.
We write



U. 



1 



N,V 



E 

1=1 



(Al) 



where the parity $\mathcal{P}$ is even or odd, and $u^{l}_{N,\mathcal{P}}$ is a unique
tensor product of operators $I_1$ and $\sigma_y$, with an even or
odd number of operators $\sigma_y$ according to the parity $\mathcal{P}$.
The parity is invariant under the application of Eq. (2).
As the total number of different $N$-qubit tensor products
of $I_1$ and $\sigma_y$ is $2^N$ and half of them have an even number
of operators $\sigma_y$, the sum in Eq. (A1) contains all possible
$u^{l}_{N,\mathcal{P}}$ of the given parity $\mathcal{P}$. It follows that any permutation
of qubits in the state $U^*_{N,\mathcal{P}}\left(|a_1;\alpha_1\rangle \cdots |a_N;\alpha_N\rangle\right)$
results in essentially the same state, i.e., only the phases
of the different terms change, which has no effect on the
outcome of the following measurement. Hence, we can
assume that the leftmost qubit is measured first, without
restricting Eve's actual order of measurements. Thus
the application of the gate $U^*_N$ is not limited to IR attack,
for which the measurement order of the eavesdropper is
determined by Alice.

According to Eq. the outcome of measuring the
leftmost qubit in the state $U^*_{N,\mathcal{P}}\left(|a_1;\alpha_1\rangle \cdots |a_N;\alpha_N\rangle\right)$ is
uniformly random. Moreover, a correct result leads to
the remaining state to be that resulting from application
of gate $U^*_{N-1,\mathcal{P}}$, i.e., the gate of the same parity. An
incorrect result leads to the state corresponding to $U^*_{N-1}$
of different parity. Thus, gate $U^*_N$ has property $\mathcal{R}$ for all
$N > 1$. As Eve measures the qubits, she unwinds the
recursion of Eq. (2) through even and odd states while
learning nothing of the key until the remaining state has
$N = 1$.

Let $E_1$ and $E_N$ denote the random variables of the
outcomes of the first $N - 1$ measurements and the final,
$N$th measurement Eve makes, respectively. Denote the
conditional entropy of $E_N$ as $h_N = H(E_N|A, E_1)$. Note
that $0 \le h_N \le 1$. If $U^*_N$ is used, $I(A,E_1) = 0$. The entropy
$H(E_1) = N - 1$. Using the definition of conditional
entropy $H(X|Y) = H(X,Y) - H(Y)$, we obtain

$$\begin{aligned}
I(A,E) &= \frac{1}{N}\left[2N - H(A,E_1,E_N)\right] \\
       &= \frac{1}{N}\left[2N - h_N - H(E_1|A) - H(A)\right] \\
       &= \frac{1}{N}\left[N - h_N - H(E_1)\right] \\
       &= \frac{1}{N}\left[1 - h_N\right],
\end{aligned} \qquad (A2)$$

where we have recomposed random variables as
$I(A,E) = I(A,E_1,E_N) = I(AE_1,E_N)$. Since the last
measurement targets one qubit in a BB84 state, $h_N = \frac{1}{2}$
and $I(A,E) = \frac{1}{2N}$. This completes our proof that the
gate $U^*_N$ limits the information provided by an intercept-resend
attack to at most $1/(2N)$ per bit.
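
The bound can be checked by direct enumeration for N = 2. The following Python sketch is an added example, not code from the paper: it evaluates the per-bit mutual information of Eq. (1) for an intercept-resend eavesdropper who measures both qubits, only one, or one of them in the $\sigma_y$ eigenbasis, for BB84 (identity gate) and for the gate $C(0, \pi/2, 0)$. It covers the information side only (the QBER is not computed), and all function and variable names are illustrative.

```python
import itertools
import math

S2 = 1 / math.sqrt(2)
# |bit; basis> as (amp0, amp1). Alice sends z or x; y is used only by Eve.
STATES = {
    "z": [(1, 0), (0, 1)],
    "x": [(S2, S2), (S2, -S2)],
    "y": [(S2, 1j * S2), (S2, -1j * S2)],
}
PAULIS = {"x": [[0, 1], [1, 0]], "y": [[0, -1j], [1j, 0]], "z": [[1, 0], [0, -1]]}
I4 = [[1 if r == c else 0 for c in range(4)] for r in range(4)]


def kron(u, v):
    """Product state of two qubits, amplitudes ordered 00, 01, 10, 11."""
    return [a * b for a in u for b in v]


def matmul(p, q):
    return [[sum(p[r][k] * q[k][c] for k in range(4)) for c in range(4)]
            for r in range(4)]


def gate_c(c1, c2, c3):
    """C(c) = exp[(i/2)(c1 XX + c2 YY + c3 ZZ)]; the three terms commute."""
    gate = I4
    for angle, name in zip((c1, c2, c3), "xyz"):
        p = PAULIS[name]
        pp = [[p[i][j] * p[k][l] for j in range(2) for l in range(2)]
              for i in range(2) for k in range(2)]
        cos, sin = math.cos(angle / 2), math.sin(angle / 2)
        term = [[cos * I4[r][c] + 1j * sin * pp[r][c] for c in range(4)]
                for r in range(4)]
        gate = matmul(term, gate)
    return gate


def entropy(probs):
    return -sum(p * math.log2(p) for p in probs if p > 1e-12)


def eve_information(gate, eve_bases):
    """Per-bit I(A,E) of Eq. (1) for N = 2, averaged over Alice's bases.

    eve_bases[j] is 'z', 'x' or 'y', or None when qubit j is not intercepted.
    Eve's bases are fixed in advance, so measuring the qubits one by one
    gives the same statistics as one product-basis measurement.
    """
    measure = [b or "z" for b in eve_bases]  # unmeasured qubit: summed out below
    total = 0.0
    for alpha in itertools.product("zx", repeat=2):
        joint = {}  # p(a, e | alpha)
        for a in itertools.product((0, 1), repeat=2):
            sent = kron(STATES[alpha[0]][a[0]], STATES[alpha[1]][a[1]])
            psi = [sum(gate[r][c] * sent[c] for c in range(4)) for r in range(4)]
            for m in itertools.product((0, 1), repeat=2):
                bra = kron(STATES[measure[0]][m[0]], STATES[measure[1]][m[1]])
                amp = sum(complex(x).conjugate() * y for x, y in zip(bra, psi))
                e = tuple(bit for bit, b in zip(m, eve_bases) if b)
                joint[(a, e)] = joint.get((a, e), 0.0) + abs(amp) ** 2 / 4
        p_e = {}
        for (a, e), p in joint.items():
            p_e[e] = p_e.get(e, 0.0) + p
        total += 2 + entropy(p_e.values()) - entropy(joint.values())  # H(A) = 2
    return total / (4 * 2)  # mean over the 4 basis choices, then per bit


BB84 = gate_c(0, 0, 0)               # identity: the protocol reduces to BB84
U2_STAR = gate_c(0, math.pi / 2, 0)  # (I x I + i sigma_y x sigma_y) / sqrt(2)

if __name__ == "__main__":
    for label, gate in (("BB84", BB84), ("U2*", U2_STAR)):
        for bases in (("z", "z"), ("z", None), ("y", "z")):
            print(label, bases, round(eve_information(gate, bases), 4))
```
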